Cyber Resilience

CVE-2025-12138

High

Published: 21 November 2025

Published
21 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0022 45.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-12138 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-12138 affects the URL Image Importer plugin for WordPress in all versions up to and including 1.0.6. The vulnerability is an arbitrary file upload flaw stemming from insufficient file type validation in the uimptr_import_image_from_url() function. Specifically, the plugin relies on a user-controlled Content-Type HTTP header for validation while writing the uploaded file to the server before performing proper checks, enabling attackers to bypass restrictions.

Authenticated attackers with Author-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By supplying a malicious file with a spoofed Content-Type header, they can upload arbitrary files to the affected WordPress site's server. This may lead to remote code execution if a PHP file is uploaded, as indicated by the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and association with CWE-434 (Unrestricted Upload of File with Dangerous Type).

References provided include links to vulnerable code locations in the plugin's source file (url-image-importer.php) at lines 1319, 1353, 1358, and 198, as well as changeset 3395852 in the WordPress plugins trac repository, which security practitioners should review for patch details and mitigation guidance.

EU & UK References

Vulnerability details

The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header…

more

to validate file uploads in the 'uimptr_import_image_from_url()' function which writes the file to the server before performing proper validation. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible via the uploaded PHP file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Arbitrary file upload vulnerability in a public-facing WordPress plugin enables remote code execution via uploaded PHP files, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-56975Shared CWE-434
CVE-2019-25580Shared CWE-434
CVE-2026-27636Shared CWE-434
CVE-2026-4809Shared CWE-434
CVE-2020-37090Shared CWE-434
CVE-2026-24729Shared CWE-434
CVE-2026-28289Shared CWE-434
CVE-2026-1730Shared CWE-434
CVE-2023-50897Shared CWE-434
CVE-2025-70457Shared CWE-434

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely identification, reporting, and patching of the arbitrary file upload flaw in the URL Image Importer plugin.

prevent

Mandates validation of information inputs like file uploads at entry points, preventing bypass via spoofed Content-Type headers in the uimptr_import_image_from_url() function.

preventdetect

Deploys malicious code protection at system entry points to scan and eradicate arbitrary PHP files uploaded through the vulnerable plugin function.

References